SecurityTracker.com
Category:   Application (Multimedia)  >   PC-to-Phone (Deltathree)
Vendors:   Deltathree.com
Deltathree's PC-to-Phone Application Discloses Passwords to Local Users
SecurityTracker Alert ID:  1002639
SecurityTracker URL:  http://securitytracker.com/id/1002639
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 26 2001
Impact:   Disclosure of authentication information, Disclosure of user information
Vendor Confirmed:  Yes  
Version(s): 3.0.3, possibly earlier versions
Description:   A vulnerability was reported in Deltathree's PC-to-Phone application. Usernames and passwords are stored in plain text in a world-readable file on the local system.

It is reported that the account number and the password are stored in the "temp.html" file in the PC-to-Phone install directory, which is world-readable. A local user can look up the account number and password of any currently logged in user.

The log and PhoneBook folders are also shared among all users on the system and can be viewed by any local user.

Impact:   A local user can obtain PC-to-Phone account numbers and passwords.
Solution:   No solution was available at the time of this entry. The vendor is reportedly working on a fix.
Vendor URL:  www.iconnecthere.com/nonmembers/eng/pc_to_phone_product.html
Cause:   Access control error
Underlying OS:   Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   None.


 Source Message Contents

Date:  Thu, 25 Oct 2001 02:31:23 -0400
Subject:  Pc-to-Phone vulnerability - broken by design


Dear Sirs,

This is to report a security vulnerability in DeltaThree's Pc-To-Phone
product, version 3.0.3 (latest version), and possibly earlier versions.
This security flaw was first reported to DeltaThree/iConnectHere on October
3, 2001, where I told the company about the security flaw, how it could be
fixed, and that I expected a confirmation of the problem within 7 days, and
that I would disclose the nature of the security flaw to the public after 21
days.

This is the part of my email contacting DeltaThree/iConnectHere where I
specified the problem:

> Both the account number AND
> password is stored in a file "temp.html" in the PC to Phone install
> directory, which is world readable.  Any user on a multi-user system
> can look up the account number and password of any currently logged
> in user (or the last user in case of a program/system crash)!
> The same goes for the log and PhoneBook folders, which are *shared*
> among all users on a system.
> The program *must* be changed to use "%APPDATA%\PC to Phone\"
> or similar instead of the install dir for sensitive data
> (temp.html, log and PhoneBook).

Yesterday, after contacting the Technical VP of DeltaThree, Mark Gazit (who
should be well known to BugTraq), I got the following answer from the
company:

--- cut here ---
Dear Mr. Hagen,

I am the Product Manager for PC2Phone, and I wanted you to know that I
received your e-mail and that I sincerely thank you for drawing this
issue to our attention.

deltathree has rallied around solving this issue, and is committed to
providing a comprehensive and expedient solution.  To update you on our
progress, it appears that this bug cannot be addressed by a quick hot
fix; we will need to do some significant development work.  We have
adjusted our development priorities accordingly and are committed to
releasing a new version of PC2Phone in the upcoming quarter.

Based on your e-mail, we have decided (just this afternoon) to
provide different dialers for multi-user and single-user/secure systems.
In the latter, the user will be able to store neither the account nor
the password, thus mitigating the potential security issue you
identified.  In the multi-user system, we will ensure that all data is
properly secured.

On behalf of all of deltathree and iConnectHere's customers, I thank you
for bringing this to our attention.  Based on user feedback, we are able
to offer ever-improving products and services, and we sincerely
appreciate this opportunity to serve you better.

Sincerely,

Jennifer Alexander
Product Manager, Access Devices
jennifera@deltathree.com
212-500-4855
--- cut here ---


As PC-to-Phone is a popular service, and many users may not want others to
see their account details (including account passwords usable for billing
purposes!) and log of phone calls, I feel that it's appropriate that the
security flaw now be made public, so people can take necessary precautions
like installing the program in a secure directory.
Until a new version is available next quarter, it may be in the public's
best interest to know.

Regards,
--
*Art
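The advisory describes sensitive data (temp.html, the log and PhoneBook folders) living in the install directory, and the reporter's suggested fix is to move it under %APPDATA%. The following PowerShell is an added example, not code from SecurityTracker, the reporter or Deltathree: it audits an assumed install path for the items named above and flags ACL entries that let broad groups read them, then shows the kind of per-user %APPDATA% folder the reporter asks for. The install path, folder name and the list of "broad" principals are assumptions.

```powershell
# Added example; assumed install path, adjust to the real one.
$InstallDir     = 'C:\Program Files\PC to Phone'
$SensitiveItems = @('temp.html', 'log', 'PhoneBook')   # items named in the advisory
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Test-BroadReadAccess {
    param([string]$Path)
    # Return the Allow ACEs that give any broad principal read access to $Path.
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($BroadPrincipals -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0)
    }
}

foreach ($item in $SensitiveItems) {
    $path = Join-Path $InstallDir $item
    if (-not (Test-Path $path)) { continue }
    $hits = @(Test-BroadReadAccess -Path $path)
    if ($hits.Count -gt 0) {
        $who = ($hits | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        Write-Warning "${path}: readable by $who"
    } else {
        Write-Host "${path}: no broad read access found"
    }
}

# Mitigation in the spirit of the reporter's suggestion: a per-user folder under
# %APPDATA% whose DACL admits only the current user and SYSTEM (inheritance cut).
function New-PrivateAppDataFolder {
    param([string]$Name = 'PC to Phone')   # assumed folder name
    $dir = Join-Path $env:APPDATA $Name
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $acl = Get-Acl -Path $dir
    $acl.SetAccessRuleProtection($true, $false)          # stop inheriting, drop inherited ACEs
    $acl.Access | ForEach-Object { $null = $acl.RemoveAccessRule($_) }
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    foreach ($id in @($me, 'NT AUTHORITY\SYSTEM')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $dir -AclObject $acl
    return $dir
}
```

The ACL checks only mean something on NTFS under Windows NT/2000; on Windows 95/98/Me, which the advisory also lists, there is no per-user file security, so relocating the file does not by itself stop another logon on the same machine from reading it.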

Copyright 2014, SecurityGlobal.net LLC